Posted by: Eric Hansen
I’ll be honest, I was torn on whether to post about this or not. On one hand it’s perfect for this blog as it mentions security… on the other hand, it kind of opens up new doors for stalkers. But, here I go.
I’ve never heard of this service before, but apparently there’s a social media website out there called Skout, which is basically a Foursquare-style service for meeting up. A recent post on another blog (http://corte.si/posts/security/skout/index.html) noted that Skout’s API was sending back more than it should. The specific concern was the geographic coordinates of the user (longitude and latitude).
This issue has been resolved, but it got me wondering: what other services leak such sensitive information? I know Facebook’s tagging system works by ID, but what about when it’s trying to find your location? It goes through your phone’s GPS, that data is sent over the air, and nothing says it is encrypted. It’s one reason why I prefer open source, but that’s a different topic.
When you create an API for your service, web or otherwise, you have to consider what you are returning as well as what you are receiving. If you just dump the database records into a JSON object and return it, why not let the user have free rein over your server? You’re essentially doing the same thing. Not to mention that returning only what you need makes the response smaller and faster.
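To make the “dump the record” problem concrete, here is an added example (my own illustration, not code from Skout or from the blog post linked above). It assumes a constructed user record with the field names shown; the naive serializer returns every column, the hardened one copies only an explicit allow-list, and the “nearby” variant returns a coarse server-computed distance so the raw coordinates never leave the server at all.

```python
"""Allow-list serialization for an API response.

Added illustration, not code from Skout or from the original post. The
record layout, field names and PUBLIC_FIELDS are constructed assumptions.
"""
import json
import math

# Constructed sample of a server-side user row. The point is that a row like
# this carries fields that must never be returned verbatim.
SAMPLE_RECORD = {
    "id": 1042,
    "username": "alice",
    "display_name": "Alice",
    "bio": "Likes coffee.",
    "email": "alice@example.invalid",
    "password_hash": "$2b$12$placeholderhashvalue",
    "latitude": 40.7128,
    "longitude": -74.0060,
    "last_login_ip": "203.0.113.7",
}

# Explicit allow-list: anything not named here is not returned, so a column
# added to the table later stays private by default.
PUBLIC_FIELDS = ("id", "username", "display_name", "bio")

SENSITIVE_FIELDS = ("latitude", "longitude", "email", "password_hash", "last_login_ip")


def serialize_naive(record):
    """The 'dump the row' approach the post warns against: every column,
    coordinates and credentials included, goes over the wire."""
    return json.dumps(record)


def serialize_public(record):
    """Hardened form: copy only allow-listed fields into a fresh dict."""
    return json.dumps({k: record[k] for k in PUBLIC_FIELDS if k in record})


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def serialize_nearby(record, viewer_lat, viewer_lon, bucket_km=1.0):
    """For a 'people nearby' feature: the server computes the distance itself
    and returns it rounded up to a coarse bucket, so the client never sees the
    other user's coordinates."""
    d = distance_km(record["latitude"], record["longitude"], viewer_lat, viewer_lon)
    public = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    public["approx_distance_km"] = math.ceil(d / bucket_km) * bucket_km
    return json.dumps(public)


def leaked_fields(payload, sensitive=SENSITIVE_FIELDS):
    """Review helper: list the sensitive keys present in a serialized response."""
    data = json.loads(payload)
    return [k for k in sensitive if k in data]


if __name__ == "__main__":
    print("naive leaks:", leaked_fields(serialize_naive(SAMPLE_RECORD)))
    print("public leaks:", leaked_fields(serialize_public(SAMPLE_RECORD)))
    print("nearby:", serialize_nearby(SAMPLE_RECORD, 40.7300, -73.9900))
```

Running `leaked_fields` over each response is a cheap check to add to an API test suite: any sensitive key showing up in a public endpoint’s output fails the build before it reaches production.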